• Nato Boram@lemmy.world
    link
    fedilink
    arrow-up
    27
    ·
    1 year ago

    Hi! I noticed an issue with the headers sent by Lemmy.world.

    Headers sent from and to this website’s official UI look like this:

    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Fri, 07 Jul 2023 23:35:17 GMT
    content-type: application/json
    vary: accept-encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
    content-encoding: gzip
    access-control-allow-origin: *
    access-control-allow-methods: GET, POST, PUT, OPTIONS
    access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
    access-control-expose-headers: content-encoding, content-type, vary, Content-Length,Content-Range
    X-Firefox-Spdy: h2
    

    Which is fine. However, headers received by custom clients look like this:

    HTTP/2 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Fri, 07 Jul 2023 23:33:50 GMT
    content-type: application/json
    vary: accept-encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
    content-encoding: gzip
    access-control-allow-origin: https://natoboram.github.io
    access-control-expose-headers: content-encoding, access-control-allow-origin, content-type, vary
    access-control-allow-origin: *
    access-control-allow-methods: GET, POST, PUT, OPTIONS
    access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
    access-control-expose-headers: Content-Length,Content-Range
    X-Firefox-Spdy: h2
    

    There’s two access-control-allow-origin! This still breaks web clients.